A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
On the Security of the KMOV Public Key Cryptosystem
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
On the Design of RSA with Short Secret Exponent
ASIACRYPT '99 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
Lattice Reduction in Cryptology: An Update
ANTS-IV Proceedings of the 4th International Symposium on Algorithmic Number Theory
Cryptanalysis of RSA with private key d less than N^0.292
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Factorization of a 512-bit RSA modulus
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
On Some Attacks on Multi-prime RSA
SAC '02 Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
The Two Faces of Lattices in Cryptology
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
Low Secret Exponent RSA Revisited
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
Estimating the Prime-Factors of an RSA Modulus and an Extension of the Wiener Attack
ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits
CANS '08 Proceedings of the 7th International Conference on Cryptology and Network Security
Low-cost client puzzles based on modular exponentiation
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Solving generalized small inverse problems
ACISP'10 Proceedings of the 15th Australasian conference on Information security and privacy
ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
RSA with balanced short exponents and its application to entity authentication
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Parallel shortest lattice vector enumeration on graphics cards
AFRICACRYPT'10 Proceedings of the Third international conference on Cryptology in Africa
Efficient CRT-RSA decryption for small encryption exponents
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Cryptanalysis of RSA with a small parameter
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Small private-exponent attack on RSA with primes sharing bits
ISC'07 Proceedings of the 10th international conference on Information Security
Cryptanalysis of multi-prime RSA with small prime difference
ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
On the improvement of Fermat factorization
NSS'12 Proceedings of the 6th international conference on Network and System Security
On the improvement of Fermat factorization using a continued fraction technique
Future Generation Computer Systems
At Asiacrypt '99, Sun, Yang and Laih proposed three RSA variants with short secret exponent that resisted all known attacks, including the recent Boneh-Durfee attack from Eurocrypt '99, which improved Wiener's attack on RSA with short secret exponent. The resistance comes from the use of unbalanced primes p and q. In this paper, we extend the Boneh-Durfee attack to break two out of the three proposed variants. While the Boneh-Durfee attack was based on Coppersmith's lattice-based technique for finding small roots of bivariate modular polynomial equations, our attack is based on its generalization to trivariate modular polynomial equations. The attack is heuristic but, like the Boneh-Durfee attack, works well in practice. In particular, we were able to break in a few minutes the numerical examples proposed by Sun, Yang and Laih. The results illustrate once again that one should be very cautious when using short secret exponents with RSA.